Washington Post Targeted by Chinese Hackers

A sophisticated cyberattack targeted The Washington Post in an operation that resembled intrusions against other major American news organizations and that company officials suspect was the work of Chinese hackers, people familiar with the incident said.

Post company officials confirmed the broad outlines of the infiltration, which was discovered in 2011 and first reported by an independent cybersecurity blog on Friday. But they did not elaborate on the circumstances, the duration of the intrusion or its apparent origin.

“Like other companies in the news recently, we face cybersecurity threats,” Post spokeswoman Kris Coratti said. “In this case, we worked with [security company] Mandiant to detect, investigate, and remediate the situation promptly at the end of 2011. We have a number of security measures in place to guard against cyberattacks on an ongoing basis.”

The New York Times and the Wall Street Journal reported this week on major hacking campaigns they said likely originated in China.

The Times and The Post used the same Alexandria-based security company, Mandiant, to secure their systems. Grady Summers, a vice president at Mandiant, declined to comment on the intrusion at The Post but said that in general, Chinese government hackers “want to know who the sources are, who in China is talking to the media. . . . They want to understand how the media is portraying them — what they’re planning and what’s coming.”

The Chinese Embassy in Washington and officials in Beijing did not respond to calls for comment. When questioned by The Post on Thursday about cyberattacks on media organizations, China’s Defense Ministry said, “The Chinese military has never supported any hack attacks. Cyberattacks have transnational and anonymous characteristics. It is unprofessional and groundless to accuse the Chinese military of launching cyberattacks without any conclusive evidence.”

The cyberattack targeted The Post’s main information technology server and several other computers, said people familiar with the incident who spoke on the condition of anonymity to describe details the company did not release publicly.

These people said that sensitive administrative passwords likely were compromised, giving hackers potentially wide-ranging access to The Post’s systems before the computers were taken offline and enhanced monitoring was put in place to prevent a recurrence. It was not clear what information, if any, was stolen by the hackers.

The intruders gained access as early as 2008 or 2009, according to these accounts. In 2011, Mandiant neutralized the malicious software, which had been sending a signal to an Internet command-and-control server associated with a Chinese hacking group.

This description tracks in general terms with one posted Friday on the blog “Krebs on Security,” authored by former Washington Post reporter Brian Krebs. He quoted an unidentified former information technology employee at the company.

Krebs’s report included the assertion that The Post turned over one of its servers to the National Security Agency and the Defense Department for analysis. That would be an unusual step for a news organization that traditionally has carefully guarded the security of its e-mail and other information from government intrusion.

“We are confident that did not happen,” Coratti said. Other Post officials speaking on condition of anonymity said the company would investigate the claim.

The National Security Agency and the Defense Department declined to comment.

Though U.S. news organizations and other companies frequently are the target of cyber-espionage, the extent of the Post intrusion appears to have been unusual and was kept secret from most company employees.

After the report by Krebs on Friday, some Post journalists grumbled about not being alerted to the intrusion and expressed concern that outside hackers may have had access to their e-mails or documents kept on their computers. Reporting that dealt with dissidents or political issues in China would have been especially sensitive.

“Nobody told me a word. Wish they had,” said longtime Post foreign correspondent Keith B. Richburg, who was acting bureau chief in Beijing at the time of the cyberattack and is leaving the company for a job at Harvard University.

He said that correspondents based in China assumed they were being monitored by the government there and took measures to protect sources and evade spying — especially while working in offices owned by the government or while reporting by e-mail. “We always joked that if the toilet didn’t flush, we could stand in the middle of the room and say, ‘Can’t they fix the toilet?’ ”

Security experts regard the Chinese government as the most aggressive hackers of Western companies and government agencies.

“What we’re seeing now is the end of a decade-long drive toward complete visibility into all computer networks of interest,” said Steven Chabinsky, a former senior FBI cyber-official who now works for the security company CrowdStrike.

China’s cyber-espionage assists the government’s broader efforts to quell internal dissent by identifying activists and dissidents and tracking them through their e-mail. China has been accused of hacking the servers of Google to obtain dissidents’ e-mail and of targeting nonprofit groups and think tanks that study China.

Some analysts say that more transparency is needed to address the issue. Google in January 2010 became the first company to disclose voluntarily it had been hacked through an intrusion originating in China. It also disclosed that its investigations had turned up dozens of other companies that had similarly been penetrated by China in hopes that some of them would also disclose the hacking. None did, though Intel later disclosed in a regulatory filing it had been targeted.

“If every company reported when it was hacked and who it was hacked by, it would be harder [for China] to get away with it,” said one industry official, speaking on condition of anonymity because he was not authorized by his company to speak on the record.

Chabinsky agreed. “It’s easy to dismiss one or two companies,” he said. “It’s harder if 100 companies come together and say, we’ve analyzed where it’s coming from and it’s you, and it has to stop.”

James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said that the U.S. government must be more forthcoming, too. “If the U.S. were to publish the intelligence it has, it would show a massive coordinated espionage effort by China that dwarfs what we see from other countries. This would make it very difficult to continue to pretend that things are going along in a normal fashion.”